On July 6, 2011, the University of California at Los Angeles Health System (UCLAHS) reached a settlement with HHS's Office of Civil Rights (OCR) regarding UCLAHS's potential violations of HIPAA Privacy and Security Rules. The settlement includes a payment of $865,500 and a corrective action plan (CAP).

According to the HHS press release, this settlement "resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients."

We reported on possible privacy violations at UCLA Health System before. Specifically, in May 2010, we wrote about Huping Zhou, a UCLAHS employee who was the first person to receive a criminal conviction for a HIPAA violation. It is not surprising that OCR stressed the importance of training staff in prevention of such privacy violations in the CAP required by the settlement. The CAP "requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years."

Through policies and procedures, entities covered under HIPAA must reasonably restrict access to patient information to only those employees with a valid reason to view the information and must sanction any employee who is found to have violated these policies.

<...> “Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity,” said Director Verdugo.

“Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider,” said OCR Director Georgina Verdugo. “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”